我正在尝试使用kerberos KeyTab身份验证和JAAS配置连接到Impala DB。
我已经可以通过将系统属性-“ java.security.auth.login.config”设置为JAAS配置文件来连接到Impala DB。而且效果很好。这是工作代码:
System.setProperty("sun.security.krb5.debug", "false");
System.setProperty("javax.security.auth.useSubjectCredsOnly", "true");
System.setProperty("java.security.krb5.conf", krb5ConfPath);
System.setProperty("java.security.auth.login.config", jaasPath);
org.apache.hadoop.conf.Configuration conf = new org.apache.hadoop.conf.Configuration();
conf.set("hadoop.security.authentication", "kerberos");
UserGroupInformation.setConfiguration(conf);
UserGroupInformation.loginUserFromKeytab(principal, keyTabPath);
DataSourceBuilder dataSourceBuilder = DataSourceBuilder.create(DatabaseConfig.class.getClassLoader());
return dataSourceBuilder.build();
问题是JAAS配置需要密钥表文件的绝对路径。就我而言,此路径将因环境而异,我不想为每个环境维护不同的jaas.config。
因此,我采用了编程方式来生成JAAS配置。我能够创建“ javax.security.auth.login.Configuration”对象并使用
进行设置
javax.security.auth.login.Configuration.setConfiguration(jaasConfig);
但是当我使用此更改运行代码时,它无法选择JAAS配置,并且失败,并出现以下异常:
无法获得JDBC连接;嵌套异常为 java.sql.SQLException:[Simba] ImpalaJDBCDriver错误 使用票证缓存创建登录上下文:无法获取主体 认证名称。
请问谁能解释为什么通过System属性设置配置时代码可以正常运行,而通过编程方式设置却无法正常工作。
System.setProperty("sun.security.krb5.debug", "false");
System.setProperty("javax.security.auth.useSubjectCredsOnly", "true");
System.setProperty("java.security.krb5.conf", krb5ConfPath);
javax.security.auth.login.Configuration jaasConfig = createJaasConfig(keyTabPath);
javax.security.auth.login.Configuration.setConfiguration(jaasConfig);
org.apache.hadoop.conf.Configuration conf = new org.apache.hadoop.conf.Configuration();
conf.set("hadoop.security.authentication", "kerberos");
UserGroupInformation.setConfiguration(conf);
UserGroupInformation.loginUserFromKeytab(principal, keyTabPath);
DataSourceBuilder dataSourceBuilder = DataSourceBuilder.create(DatabaseConfig.class.getClassLoader());
return dataSourceBuilder.build();
这就是我创建JAAS Config的方式:
private static javax.security.auth.login.Configuration createJaasConfig(final String keyTabPath) throws Exception {
// Create entry options.
Map<String, Object> options = new HashMap<>();
options.put("useTicketCache", "false");
options.put("doNotPrompt", "true");
options.put("useKeyTab", "true");
options.put("debug", "false");
// options.put("storeKey", "true");
options.put("principal", "user@DOMAIN.COM");
options.put("keyTab", keyTabPath);
// Create entries
AppConfigurationEntry[] entries = {
new AppConfigurationEntry(
Krb5LoginModule.class.getCanonicalName(),
AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
options
)
};
// Create configuration
return new javax.security.auth.login.Configuration() {
@Override
public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
return entries;
}
};
}